Migrating Your LAN to IEEE 802.1X
Gaweł Mikołajczyk [email protected] Consulting Systems Engineer, Emerging Markets East CCIE #24987, CISSP-ISSAP
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 2
Session Objectives
At the end of the session, you should understand:
• How 802.1X works
• The benefits of deploying 802.1X
• How to configure and deploy 802.1X using Cisco switches, ACS 5.1 and various supplicants
• How to integrate existing technologies such as IP telephony, guest access, PXE, etc.
• The value and application of deployment scenarios
• How to make this work when you get back to your lab
You should also:
• Provide us with feedback!
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public Presentation_ID 3
Identity and Authentication Overview
Why Identity Is Important
1. Who are you? 802.1X (or a supplementary method) authenticates the user: keep the outsiders out.
2. Where can you go? Based on the authentication, the user is placed in the correct VLAN: keep the insiders honest.
3. What service level do you receive? The user can be given per-user services (ACLs today, more to come): personalize the network.
4. What are you doing? The user's identity and location can be used for tracking and accounting: increase network visibility.
IEEE 802.1X: The Foundation of Identity
Three roles: Supplicant (802.1X client) <-- EAP over LAN (EAPoL) --> Authenticator (e.g. switch, access point) <-- RADIUS --> Authentication Server
• IEEE 802.1 working group standard
• Provides port-based access control using authentication
• Defines the encapsulation for Extensible Authentication Protocol (EAP) over IEEE 802 media: "EAPoL"
• Enforcement via MAC-based filtering and port-state monitoring
Default Port State without 802.1X
• No visibility
• No access control
• No authentication required
Default Security with 802.1X: Before Authentication
• Strict access control; no visibility (yet)
• Port configuration:
    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator
• ALL traffic except EAPoL is dropped
• One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else)
Default Security with 802.1X: After Authentication
• User/device is known: authenticated user Sally, authenticated machine XP-ssales-45
• Identity-based access control, single MAC per port
• Same port configuration as before:
    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator
• Looks the same as without 802.1X: that is true, because unless you apply an authorization, access is wide open once the port is authorized. Access can be restricted via dynamic VLAN assignment or downloadable ACLs.
Identity and Authentication 802.1X, EAP, and RADIUS
A Closer Look at 802.1X
Supplicant (e.g. SSC) <-- Layer 2 point-to-point (EAPoL) --> Authenticator <-- Layer 3 link (RADIUS) --> Authentication Server
Port Unauthorized
1. Supplicant -> Authenticator: EAPoL Start
2. Authenticator -> Supplicant: EAP ID-Request
3. Supplicant -> Authenticator: EAP ID-Response (Alice)
4. Authenticator -> Authentication Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
5. Authentication Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
6. Authenticator -> Supplicant: EAP-Request: PEAP
7. Supplicant -> Authenticator: EAP-Response: PEAP
8. Authenticator -> Authentication Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
   (multiple challenge-request exchanges possible, repeating steps 5 to 8)
9. Authentication Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-nnn]
10. Authenticator -> Supplicant: EAP Success
Port Authorized
11. Supplicant -> Authenticator: EAPoL Logoff
Port Unauthorized
What Does EAP Do?
• Establishes and manages the connection
• Allows authentication by encapsulating various types of authentication exchanges; the actual authentication exchanges are called EAP methods
• Provides a flexible link-layer security framework; can run over any link layer (PPP, 802, etc.)
• Defined by RFC 3748
Encapsulation on each leg:
• Supplicant <-> Authenticator: Ethernet Header | 802.1X Header | EAP Payload
• Authenticator <-> Authentication Server: IP Header | UDP | RADIUS | EAP Payload
The EAP payload itself is carried unchanged; the authenticator only re-encapsulates it between EAPoL and RADIUS.
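To make the two encapsulations concrete, the following Python example (added here; it is not Cisco's or the presenter's code) parses a constructed EAPoL frame carrying an EAP Identity-Response for "Alice", re-encapsulates the EAP payload in a RADIUS Access-Request with EAP-Message and Message-Authenticator attributes as RFC 3579 requires, and shows the server-side Message-Authenticator check. The MAC addresses, shared secret and fixed Request Authenticator are assumptions for the example.

```python
"""EAP on both legs of 802.1X: parse an EAPoL frame from the supplicant and wrap its
EAP payload in a RADIUS Access-Request for the authentication server (RFC 3748/3579).
Example code added for this page, not from the deck; frame and secret are constructed."""
import hashlib
import hmac
import struct

ETH_P_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def parse_eapol(frame: bytes) -> dict:
    """Decode Ethernet + 802.1X (EAPoL) header; for an EAP-Packet also the EAP header."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_EAPOL:
        raise ValueError("not an EAPoL frame")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    info = {"src": frame[6:12].hex(":"), "version": version, "eapol_type": eapol_type, "eap": None}
    if eapol_type != EAPOL_EAP_PACKET:      # EAPoL-Start / -Logoff carry no EAP body
        return info
    eap = frame[18:18 + body_len]
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len < 4 or eap_len != len(eap):
        raise ValueError("EAP length mismatch")
    info.update(eap=eap, code=code, id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len > 4:
        info["type"] = eap[4]
        if eap[4] == EAP_TYPE_IDENTITY:
            info["identity"] = eap[5:].decode("utf-8", "replace")
    return info


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(eap: bytes, user_name: str, secret: bytes,
                         request_authenticator: bytes, identifier: int = 1) -> bytes:
    """Authenticator side: EAP-Message attributes (253-byte chunks) plus a
    Message-Authenticator = HMAC-MD5(secret, packet with the MA value zeroed)."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    for off in range(0, len(eap), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[off:off + 253])
    zero_ma = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier,
                         20 + len(attrs) + len(zero_ma)) + request_authenticator
    mac = hmac.new(secret, header + attrs + zero_ma, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: walk the attributes, zero the MA, recompute and compare in constant time.
    A packet carrying EAP-Message without a Message-Authenticator must be rejected."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, body, rebuilt, received, pos = packet[:20], packet[20:], b"", None, 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return False
        value = body[pos + 2:pos + attr_len]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)
        rebuilt += struct.pack("!BB", attr_type, attr_len) + value
        pos += attr_len
    if received is None or pos != len(body):
        return False
    expected = hmac.new(secret, header + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


# Constructed sample: EAP Identity-Response "Alice" (code 2, id 1, length 10) from
# supplicant 00:0a:95:7f:de:06 to the 802.1X PAE group address, EAPoL version 2.
EAP_IDENTITY_RESPONSE = struct.pack("!BBH", EAP_RESPONSE, 1, 10) + bytes([EAP_TYPE_IDENTITY]) + b"Alice"
SAMPLE_FRAME = (bytes.fromhex("0180c2000003") + bytes.fromhex("000a957fde06")
                + struct.pack("!H", ETH_P_EAPOL)
                + struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(EAP_IDENTITY_RESPONSE))
                + EAP_IDENTITY_RESPONSE)
SHARED_SECRET = b"constructed-shared-secret"     # assumption: switch <-> ACS shared secret
FIXED_REQUEST_AUTHENTICATOR = bytes(range(16))    # fixed for reproducibility; random in practice


def relay_identity_response(frame: bytes = SAMPLE_FRAME, secret: bytes = SHARED_SECRET) -> bytes:
    """The EAP ID-Response -> RADIUS Access-Request hop: EAPoL in, RADIUS out."""
    parsed = parse_eapol(frame)
    return build_access_request(parsed["eap"], parsed["identity"], secret, FIXED_REQUEST_AUTHENTICATOR)


if __name__ == "__main__":
    pkt = relay_identity_response()
    print(parse_eapol(SAMPLE_FRAME)["identity"], len(pkt), verify_message_authenticator(pkt, SHARED_SECRET))
```

The Message-Authenticator is what stops an on-path attacker from splicing a forged EAP payload into the RADIUS leg; without it the Access-Request is only protected by the Request Authenticator, which does not cover the attributes.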
EAP Authentication Methods
Challenge-response-based:
• MD5: uses MD5-based challenge-response for authentication
• LEAP: username/password authentication
• EAP-MSCHAPv2: username/password MSCHAPv2 challenge-response authentication
Cryptographic-based:
• EAP-TLS: X.509 v3 PKI certificates and the TLS mechanism for authentication
Tunneling methods:
• PEAP: encapsulates other EAP types in an encrypted tunnel
• EAP-TTLS: encapsulates other EAP types (or legacy non-EAP methods) in an encrypted tunnel
• EAP-FAST: designed to not require client certificates
Other:
• EAP-GTC: generic token and OTP authentication
• EAP-SIM: SIM-based authentication
Tunneling Methods
• Some EAP methods set up an encrypted (TLS) tunnel and pass the credentials through the tunnel
• Anonymous outer identity: the identity sent in the clear before the tunnel is up can be a placeholder, so the user's real identity as well as the credentials are hidden from anyone on the wire
  SSC / ACS: yes; Windows native / IAS: no
• Some EAP methods require an EAP method inside the tunnel (PEAP and FAST)
• Some EAP methods do not require an EAP method inside the tunnel (TTLS, which can carry PAP/CHAP/MSCHAP directly); used with legacy RADIUS
EAP Protocols: Feature Support
Feature | EAP-TLS | PEAP | EAP-FAST
Single sign-on | Yes | Yes | Yes
Login scripts (Active Directory) | Yes | Yes | Yes
Password expiration (AD) | N/A | Yes | Yes
Client and OS availability | SSC, XP, Win7 and others | SSC, XP, Win7 and others | SSC, Win7 and others
MS DB support | Yes | Yes | Yes
LDAP DB support | Yes | Yes | Yes
OTP support | No | Yes | Yes
Vulnerable to off-line dictionary attacks | No | No | No
Server certificates required | Yes | Yes | No
Client certificates required | Yes | No | No
Computing impact | High | Medium | Low
Caveat on the EAP-FAST "No" for server certificates: it refers to anonymous in-band PAC provisioning, where the provisioning tunnel is not server-authenticated, so the inner MSCHAPv2 exchange is exposed to a man-in-the-middle during provisioning. Authenticated (certificate-based) provisioning avoids this.
Factors that Drive EAP Method
Enterprise security policy:
• Certificate Authority deployment may drive the EAP type
• Two-factor authentication may require EAP-TLS
• Security vs. convenience trade-offs
Client support:
• Windows supports EAP-TLS, PEAP w/EAP-MSCHAPv2, PEAP w/EAP-TLS
• 3rd-party supplicants support a large variety of EAP types, but not all
Authentication server support:
• RADIUS servers support a large variety of EAP types, but not all
Identity store:
• PEAP w/EAP-MSCHAPv2 can only be used with identity stores from which the server can obtain the NT hash of the password (Active Directory, or a store holding clear-text or NT-hashed passwords); a store that keeps only salted hashes cannot do MSCHAPv2
• Not every identity store supports all the EAP types
Use as many methods as needed depending on the devices.
Identity & Authentication: Who (or What) Authenticates?
Problem Statement
Who should the network authenticate?
• A user using a device
• A device
• Both the user and the device
Device boot process and network connectivity assumptions:
• Boot without using network resources: standalone
• Boot from the network: X terminal, NetPC, PXE
• Boot and use network resources: networked
  - Network File System
  - Managed devices: connection to LDAP, Active Directory
  - Device health check: patch-level checker, central AV system
Example: Network Assumption, Microsoft Windows
Boot sequence; components that depend on network connectivity are marked *:
1. Power on
2. Kernel loading, Windows HAL loading, device driver loading
3. Obtain network address (static, DHCP) *
4. Determine site and DC (DNS, LDAP) *
5. Establish secure channel to AD (LDAP, SMB) *
6. Kerberos authentication (machine account) *
7. Computer GPOs loading (async) *
8. GPO-based startup script execution *
9. Certificate auto-enrollment, time synchronization, dynamic DNS update *
10. GINA (logon prompt)
11. Kerberos authentication (user account) *
12. User GPOs loading (async) *
13. GPO-based logon script execution (SMB) *
Inherent assumption of network connectivity from step 3 onward. With 802.1X user authentication only, the earliest network connectivity is after the user logs in at the GINA (step 10), so the machine-account components in steps 4 to 9 run without a network and are broken.
802.1X Device and User Authentication
User authentication ONLY
• Possible when the device has no dependency on network resources before logon
• Can run a user script to access network resources post-login
• Be careful: this can break Microsoft group and system policies
Device authentication ONLY
• Mandatory as soon as the device depends on network resources during boot
• Authorization is linked to the device, not to the user using the device
Device and User
• Authorization is highly flexible
• Advanced features needed on supplicants
• Synchronization needed with other applications and processes on the client PC: DHCP, DNS, NFS, etc.
• The port switches context when going from the machine session to the user session
Microsoft Windows Example: User and Device Authentication
Network connectivity begins at the point of 802.1X authorization.
User authentication only:
Power Up -> Load NDIS Drivers -> Present GINA -> Windows Domain Auth -> 802.1X User Auth -> DHCP -> Setup Secure Channel to DC -> Update GPOs -> Apply Computer GPOs
* No connectivity to the Domain Controller until the user logs in
Machine authentication only:
Power Up -> Load NDIS Drivers -> 802.1X Machine Auth -> DHCP -> Setup Secure Channel to DC -> Update GPOs -> Apply Computer GPOs -> Present GINA -> Windows Domain Auth
* 802.1X early in the boot process
User + machine authentication:
Power Up -> Load NDIS Drivers -> 802.1X Machine Auth -> DHCP -> Setup Secure Channel to DC -> Update GPOs -> Apply Computer GPOs -> Present GINA -> Windows Domain Auth -> 802.1X User Auth
* Users can be individually authenticated
Configuring Machine and/or User Auth: Microsoft Windows Example
Mode is supplicant dependent.
Cisco SSC:
• Can be configured per profile
• Centrally configured via the Admin tool
• Deployed via MSI
Native MS supplicants pre-Win7:
• Controlled by registry keys (XP SP2) or XML (XP SP3 & Vista) and the network properties authentication tab
• Can be set by GPO (wireless only for XP, wired and wireless for Vista)
Win7 supplicants
Identity & Authentication: 802.1X Supplicants
802.1X Supplicants
• Windows 7: yes
• Windows Vista: yes
• Windows XP: yes
• Windows 2000: yes
• Windows CE / Mobile (Pocket PC): yes
• Linux: yes
• HP-UX: yes
• Solaris: yes
• HP printers (JetDirect) & switches: yes
• Apple OS X: yes
• Apple iPhone: yes
• Nokia: yes
• Cisco IP Phones (e.g. 7921): yes
• Cisco WLAN APs: yes
• Cisco switches: yes (12.2.50)
PC Supplicant Types
• Operating system: Mac OS X, XP Wireless Zero Config, Vista native, Win7 native
• Hardware specific: Intel PROSet, Lenovo Access Connections
• Premium: Cisco Secure Services Client, Juniper Odyssey
• Open source:
  Xsupplicant (Open1X): http://open1x.sourceforge.net/
  wpa_supplicant: http://hostap.epitest.fi/wpa_supplicant/
  SecureW2: http://www.securew2.com/
Xsupplicant
• Open source; no additional up-front cost
• Username / password; user authentication; server validation
• Manual connect
• Wired & wireless
• PEAP, TTLS, FAST, and MD5
• Application: simple authentication where no outside support is required
WPA Supplicant
• Open source: Linux, BSD, Mac OS X, and Windows; no additional up-front cost
• Wired & wireless
• EAP types: EAP-TLS; EAP-PEAP (inner MSCHAPv2, TLS, GTC, OTP, MD5); EAP-TTLS (inner MD5, GTC, OTP, MSCHAPv2, TLS, PAP, CHAP); EAP-SIM; EAP-AKA; EAP-PSK; EAP-FAST; EAP-PAX; EAP-SAKE; EAP-IKEv2; EAP-GPSK (experimental); LEAP
SecureW2
• Open source
• Windows suite with Windows Mobile 5/6 or Pocket PC 2003/2005 support, and 2000/XP/Vista
• Support available
• Wired & wireless
• Plugs into the existing Microsoft 802.1X/EAP framework (EapHost)
• Supports EAP-TTLS and EAP-GTC
Microsoft Native Supplicant: XP SP2
Integral to operating system
nothing to deploy except configuration
No additional cost, licensed as part of OS
Same service controls wireless and wired 802.1X
Wireless Zero Config (WZC)
Integrated machine and user profile
Registry changes required for proper operation of wired 802.1X
EAP Types – PEAP/MSCHAPv2, PEAP/TLS, TLS, MD5
Vista & XP SP3 Native Supplicant
Integral to operating system
nothing to deploy except configuration
No additional cost, licensed as part of OS
Separate services for wireless and wired 802.1X
Wireless Zero Config (WZC)
Wired AutoConfig (DOT3SVC)
Machine & User Authentication
PEAP-MSCHAPv2,PEAP-TLS, EAP-TLS
Recommendations
Use NDIS 6 NIC drivers
Vista SP1
Auth Fail Hot-Fix:
http://support.microsoft.com/default.aspx?scid=kb;en-us;957931&sd=rss&spid=11712
Windows 7 Native
Integral to operating system
nothing to deploy except configuration
No additional cost, licensed as part of OS
Separate services for wireless and wired 802.1X
Wireless Zero Config (WZC)
Wired AutoConfig (DOT3SVC)
Machine & User Authentication
PEAP-MSCHAPv2,PEAP-TLS, EAP-TLS
Mac OS X 10.6
Wired and wireless support
Username / Password, Certificates, & Tokens
Machine or User Authentication
Broad EAP type support
No up-front licensing cost
Apple supported
End-user focused
Intel Proset
Driver Intimacy
Adapter settings
Radio On / Off
No additional up-front costs
Username / Password, Soft Certificates, Smartcards, & Tokens
Broad EAP Type Support
Wireless Only
Supported by Intel
Requires Intel NIC
Cisco Secure Services Client
Wired and wireless support
Username / Password, Soft Certificates, Smartcards, & Tokens
Machine & User Authentication
Broad EAP type support
Up-front licensing cost
Cisco supported
End-user focused
Applications –
Enterprise environments
Identity & Authentication Non-802.1X Capable Devices & Users
Default Security: Consequences
Default 802.1X challenge: devices without supplicants can't send EAPoL, and no EAPoL = no access, so they stay offline.
    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator
One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else)
MAC Authentication Bypass (MAB) for Non-802.1X Devices
Device MAC: 00.0a.95.7f.de.06
1. Link up
2. Switch -> device: EAP-Identity-Request (no response)
3. Switch -> device: EAP-Identity-Request (no response)
4. Switch -> device: EAP-Identity-Request (no response)
5. 802.1X times out; the switch falls back to MAB
6. The switch port is opened for one packet so the switch learns the MAC address
7. Switch -> RADIUS: Access-Request (MAC 00.0a.95.7f.de.06 as the identity); RADIUS -> switch: Access-Accept
802.1X with MAB: Deployment Considerations
• MAB enables differentiated access control (e.g. guest VLAN, printer VLAN)
• MAB leverages centralized policy on the AAA server
• Dependency on the 802.1X timeout -> delayed network access
  - Default tx-period is 30 seconds, and the switch sends the Identity-Request three times (initial plus two retransmissions) before declaring a timeout: 90 seconds total
  - 90 seconds > DHCP client timeout
• MAB requires a database of known MAC addresses (RADIUS server local store, LDAP, ACS)
• A MAC address is not a secret: MAB identifies a device but does not authenticate it strongly (see the considerations on authentication methods below)
Considerations: MAC Databases
Method | What is it? | Advantages | Problems | Use case
OUI wildcards | Use the 3-byte vendor identifier | Easy to add lots of devices | No granularity | "Add all HP printers"
ACS | Local database on the RADIUS server | Readily available | No central repository for all IDs | "RADIUS only"
AD | Central directory service | Central repository | Should have support for the [ieee802] object; password complexity rules get in the way of MAC-as-password accounts | "All in one"
NAC Profiler | Automatic building of the MAC DB | Automated | Needs certain methods to reliably identify devices | "Handle unknown devices"
LDAP | Central directory | Standards based | Manually populated and maintained | "Leverage existing DB"
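The MAC handling behind MAB, written out as a Python example added for this page (not Cisco's or the presenter's code): the formats a MAC arrives in (dotted IOS style, space-separated as in the ACME inventory, colon-separated) are normalised to the 12 lowercase hex digits IOS uses as the MAB RADIUS User-Name, a two-tier database does exact-MAC and OUI-wildcard lookups to show the granularity trade-off from the table above, and the fallback delay from the timeout discussion is computed from tx-period and max-reauth-req. The OUI value and the labels are constructed.

```python
"""MAB identity handling: normalise the MAC formats seen in this deck, look them up
against individual MACs and OUI wildcards, and compute how long a non-802.1X device
waits before MAB even starts. Example code added for this page; MAC and OUI values
are constructed and the labels are placeholders."""
import re
from typing import Optional, Tuple

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 00.0a.95.7f.de.06, 000a.957f.de06, B2 CF 81 A4 02 D7, 00:0a:95:7f:de:06, ...
    and return the 12 lowercase hex digits IOS sends as the MAB RADIUS User-Name."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def mab_fallback_delay(tx_period: int = 30, max_reauth_req: int = 2) -> int:
    """Seconds from link-up to MAB: the switch sends an EAP Identity-Request, waits
    tx-period, and retransmits max-reauth-req times before declaring 802.1X timed out.
    IOS defaults (30 s, 2) give the 90 s quoted in the deck."""
    return tx_period * (max_reauth_req + 1)


class MacDatabase:
    """Two lookup tiers: exact MAC (granular) and OUI wildcard (bulk, no granularity).
    Neither proves anything about the device: a MAC address is not a secret and can be
    cloned, so treat a MAB hit as identification, not authentication."""

    def __init__(self) -> None:
        self._macs = {}   # 12 hex digits -> label
        self._ouis = {}   # 6 hex digits  -> label

    def add_mac(self, raw: str, label: str) -> None:
        self._macs[normalize_mac(raw)] = label

    def add_oui(self, raw_oui: str, label: str) -> None:
        oui = re.sub(r"[^0-9A-Fa-f]", "", raw_oui).lower()
        if len(oui) != 6:
            raise ValueError(f"OUI must be 3 bytes: {raw_oui!r}")
        self._ouis[oui] = label

    def lookup(self, raw: str) -> Optional[Tuple[str, str]]:
        """Return ('mac', label), ('oui', label) or None; exact entries win over wildcards."""
        mac = normalize_mac(raw)
        if mac in self._macs:
            return ("mac", self._macs[mac])
        if mac[:6] in self._ouis:
            return ("oui", self._ouis[mac[:6]])
        return None

    def to_radius_usernames(self) -> list:
        """Individual entries as a RADIUS server stores them for MAB (username == password == MAC)."""
        return sorted(self._macs)


def build_acme_db() -> MacDatabase:
    """The agentless assets from the ACME scenario plus one constructed OUI wildcard."""
    db = MacDatabase()
    db.add_mac("B2 CF 81 A4 02 D7", "printer")                 # from the deck
    db.add_mac("F5 AB 8B 65 00 D4", "security camera gateway")  # from the deck
    db.add_oui("00:0a:95", "all devices of vendor X")          # constructed OUI wildcard
    return db


if __name__ == "__main__":
    db = build_acme_db()
    for mac in ("b2cf.81a4.02d7", "00.0a.95.7f.de.06", "00:11:22:33:44:55"):
        print(mac, "->", db.lookup(mac))
    print("MAB starts after", mab_fallback_delay(), "s with IOS defaults")
```

The OUI tier is what "add all HP printers" means in practice: any device presenting that prefix, including a laptop with a cloned MAC, gets the same answer, which is the "no granularity" problem in the table.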
DEMO Time
MAB
Web Authentication for non-802.1X Users
"Flex Auth": multiple triggers, single port configuration. Actors: host, switch, DHCP/DNS, AAA server.
1. Trigger: 802.1X timeout, 802.1X failure, or MAB failure
2. Port enabled, (pre-authentication) ACL applied
3. Host acquires an IP address, which triggers the session state
4. Host opens a browser, receives the login page and sends username/password
5. Switch queries the AAA server; the server authorizes the user and returns the policy
6. Switch applies the new ACL policy
802.1X with Web-Auth: Deployment Considerations
• Web-Auth is only for users (not devices): a browser is required and the username/password are entered manually
• Web-Auth can be a fallback from 802.1X or MAB
• Web-Auth and Guest VLAN* are mutually exclusive
• Web-Auth supports ACL authorization only (no VLAN assignment)
• Web-Auth behind an IP phone requires Multi-Domain Authentication* (MDA)
* To be discussed in later sections
DEMO Time
Web-Auth
Identity & Authentication Further Restrictions
Default Security: More Consequences
Multiple MACs on a port are not allowed, to ensure the validity of the authenticated session. A VM host, a phone with a PC behind it, a hub, or a gratuitous ARP from a second MAC all trip this and cause a security violation on the port.
    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator
Phase 0: Pre-Deployment
Introduction to ACME Corp.
• Fictional company, a publishing house.
• Employees, freelancers and guests use the corporate network infrastructure; the same infrastructure is used for other devices as well: "One network to support them all."
• No access control in place today: everybody with physical access can connect.
• The CIO decided to limit access: only known devices must be allowed on the network.
ACME's Business Environment
Devices:
• IP Phone G/W: managed asset, Finance dept., 12:00pm
• Printer: agentless asset, MAC B2 CF 81 A4 02 D7
• Laptop: managed asset, Main Laboratory, 11am
• Security Camera G/W: agentless asset, MAC F5 AB 8B 65 00 D4
People:
• Rossi Barks: employee, HR, wireline, 11am
• Francois Didier: consultant, HQ - Strategy, remote access, 6pm
• Bill Graves: employee, R&D, wireless, 2pm
• Frank Lee: guest, wireless, 9am
• Susan Kowalski: employee, CEO, remote access, 10pm
• Sergei Balazov: contractor, IT, wireline, 10am
• Vicky Sanchez: employee, Marketing, wireline, 3pm
GLOBAL WORK FORCE: employees, contractors, phones, printers
SENSITIVE RESOURCES: network, devices & applications
MULTIPLE ACCESS METHODS: from different devices, locations & times
ALL NEED CONTROLLING
ACME’s Goals
The Mission:
Prevent Anonymous / Unauthorized Access
Increase Network Visibility
Solution deployment should be transparent to end users
Employee end-user behavior should not change.
Legacy devices must not be locked out.
Best authentication method based on device capabilities should be chosen.
ACME's Environment: Devices
• PC devices are primarily running in a Microsoft Windows environment.
• IP telephony is Cisco; 50% of the phones are 802.1X ready and support EAP-TLS / certificate-based authentication. No certificates deployed so far (Manufacturing Installed Certificates, MICs, only).
• Printers are not 802.1X-capable and must be authenticated via their MAC address.
• All sorts of other (legacy) devices from freelancers (Macs, Linux machines, ...) and generic devices (e.g. building control).
ACME’s Environment: Network
ACME recently did a refresh on their access network.
Devices are up-to-date and are running latest available code.
Devices are configured according to L2 best practice (DHCP snooping, DAI, data VLAN != voice VLAN != management VLAN).
For conference rooms, only corporate owned and authorized devices may be cascaded to provide additional ports (Extended Edge concept).
ACME’s Environment: Back-End
Windows 2008 Active Directory
Environment managed via AD Group Policy Objects (GPOs)
GPOs enabled centralized management & distribution of policy for users, computers and other objects in the directory.
Certificate Infrastructure is in place, Microsoft CA running on AD.
ACS 5.1 will be used to provide AAA services.
ACME’s Environment: Credentials
Corporate machines are registered with the Windows domain
Computers & Users log in with Name and Password to the domain
Additional authentication is enforced at the application layer
No authentication at all for all other devices
Considerations
What Authentication Method(s) should be used?
Which Operating Systems are to be supported?
Where are Credentials stored?
One Store vs. Many Stores
How to Build and Manage a MAC Database?
Considerations: Authentication Method
Method | What's required? | Pros | Cons
802.1X | Supplicant, credentials | Highest security | Supplicant may not be available on every platform
MAB | MAC address database | Works for all devices | Weak: a MAC address can easily be snooped and spoofed; the DB needs to be created and maintained
Web-Auth | Portal (on switches or on a dedicated NGS) | No supplicant needed; every device with a browser can be used | Relies on initial connectivity; a VLAN / IP address change after authentication is problematic
Further Considerations for 802.1X Authentication: EAP Methods
Method | What's required? | Pros | Cons
EAP-MD5 | Username, password | Most devices with 802.1X support do at least EAP-MD5 | Off-line dictionary attack; one-way authentication (the server is not authenticated)
EAP-TLS | Certificate distribution | Most secure method | Certificate cost, distribution, renewal
PEAP | Username, password | Readily available in Windows environments | Single-factor authentication
PEAP was chosen by ACME for operational efficiency.
Considerations: Operating Systems
Corporate assets:
OS | Supplicant | Methods supported | Remark
Windows XP and newer | Built-in or 3rd party | MD5, TLS, PEAP | No MD5 with Vista and newer
Older Windows | No support | MAB or WebAuth | 
Apple Mac OS X | Built-in | TTLS, TLS, FAST, PEAP, LEAP, MD5 | 
802.1X-capable Cisco phones | Built-in | MD5, FAST, TLS | 
Other devices | various | various | various
Non-corporate assets:
OS | Supplicant | Methods supported | Remark
All | n/a | MAB or WebAuth | Guest access
Considerations: MAC Databases
Devices: PCs and non-PCs (UPS, phone, printer, AP)
• What to use? OUI, or individual MAC address
• Where to store? RADIUS server, Active Directory, LDAP
• How to maintain? Manually, or (semi-)automatically
ACME's choice: RADIUS server
ACME's Starting Point
• Credential store
• EAP type
• Guest access
• Unmanaged devices
ACME Summary & Goal
Enforce admission control to wired network
Use central identity store, Active Directory
Control Plane is Radius
Provide coherent solution for all devices
Phase 1: Monitor Mode
ACME's Goals: Phase 1
• Gain visibility of what's currently on the network: managed assets, agentless assets, unknown devices
• Validate that components are functioning as expected
• Identify non-functioning components and correct them
• Be transparent to users and the current network
ACME's goals can be met with Monitor Mode.
Default Security: Consequences (recap)
Default 802.1X challenge: devices without supplicants can't send EAPoL; no EAPoL = no access, so they stay offline.
    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator
One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else)
Changing the Default Authorization: "Open Access"
Authentication is performed, but there is no access control (no restrictions).
    interface fastEthernet 3/48
     authentication port-control auto
     authentication open
     dot1x pae authenticator
     mab
Default Security: Consequences, Multiple MACs per Port
Multiple MACs on a port are assumed to be malicious: hubs, gratuitous ARPs, VMware.
    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator
Modifying the Default Security: "Multi-Auth"
Multiple MACs on the port, each MAC authenticated (802.1X or MAB).
    interface fastEthernet 3/48
     authentication port-control auto
     authentication host-mode multi-auth
     authentication open
     dot1x pae authenticator
     mab
Enabling Monitor Mode: RADIUS Server
• Configure PKI and identity servers
• Create 802.1X & MAB policies: every user in AD is permitted; separate rules can be used for reporting
Enabling Monitor Mode: Managed Assets
• Roll out the root CA certificate to managed assets via GPO
• Activate the PEAP configuration for user authentication via GPO
• Activate the Wired AutoConfig service on Windows machines via GPO
All managed assets should be provisioned before the switches are configured for access control.
DEMO Time
Managing 802.1X Parameters with Active Directory GPOs
Phased Rollout
• Deploy the supplicant configuration components first
• Configure the RADIUS server second
• Deploy the switches third, possibly starting with one floor at a time
• Validate, via the support case load, that monitor mode is working as expected
• After successful floor rollouts, expand to multiple floors or a building at a time
Monitor Mode: Monitoring
Monitor Mode: Monitoring and Reporting
RADIUS authentication and accounting logs provide visibility:
• Passed/failed 802.1X/EAP attempts: list of valid dot1x-capable devices, list of non-dot1x-capable devices
• Passed/failed MAB attempts: list of valid MACs, list of invalid or unknown MACs
To do before implementing access control:
• Confirm that all of these should be on the network
• Install supplicants on clients X, Y, Z
• Update credentials on failed 802.1X clients
• Update the MAC database with failed MABs
Monitor the network, see who's on, and address future connectivity problems in advance by installing supplicants and credentials and creating the MAB database.
RADIUS Authentication
ACME authentications can be monitored
View Trends of Passed (should be high)
View Trends of Failures (should be low)
View Trends of Unknown MAC Addresses (should start high and lower as MAC Addresses are added to the database)
Active Monitoring
• Network visibility is not just about passed/failed authentications
• The RADIUS server can maintain a session directory fed by RADIUS accounting
• This gives ACME a view of all active sessions as they enter and leave the network
• This information can be correlated with other security information for better incident response
802.1X with RADIUS Accounting
PC (supplicant) <-> Switch <-> ACS
1. The supplicant and the switch run the 802.1X process; the switch authenticates the client against ACS
2. ACS -> switch: Access-Accept; switch -> supplicant: EAPOL-Success
3. Switch -> ACS: Accounting-Request (Start)
4. ACS -> switch: Accounting-Response
802.1X with RADIUS Accounting
• Similar to other accounting and tracking mechanisms that already exist using RADIUS; can now be done through 802.1X
• Increases network session awareness
• Provides information to a management infrastructure about who logs in, session duration, basic billing/usage reporting, etc.
• Provides a means to map the authenticated identity to an IP address and a location:
  IOS: aaa accounting dot1x default start-stop group radius
  Authentication record: Identity, Port, MAC, Switch
  Accounting record: IP, Port, MAC, Switch
  Joining the two on Switch + Port + MAC gives Identity = IP, and Switch + Port = Location
Simple Homegrown Tools
• Switches log all passed/failed sessions via syslog
• RADIUS servers typically log all information in plain text
• It is relatively easy to run scripts against this information to create monitoring views
• Scripts can create a database of the MAC addresses seen on the network
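A homegrown tool of exactly this kind, written as a Python example added for this page (not Cisco's or the presenter's code): it parses switch syslog in the IOS auth-manager message format and produces the monitor-mode lists from the reporting slide (dot1x-capable, non-dot1x-capable, valid MACs, unknown MACs), the pre-enforcement to-do list, and the switch + port = location mapping. The log lines are constructed; the hostnames, MAC addresses and AuditSessionIDs are made up.

```python
"""Monitor-mode reporting from switch syslog: build the lists the deck asks for
(dot1x-capable, non-dot1x-capable, valid MACs, unknown MACs) plus a MAC -> location
map. Example code added for this page; the log lines are constructed in the IOS
auth-manager message format and every hostname, MAC and AuditSessionID is made up."""
import re

SAMPLE_SYSLOG = """\
Mar  1 11:00:02 sw-fl3 %AUTHMGR-5-START: Starting 'dot1x' for client (0014.4f87.a2b3) on Interface Fa3/1 AuditSessionID 0A0000010000000A0000A1B2
Mar  1 11:00:03 sw-fl3 %DOT1X-5-SUCCESS: Authentication successful for client (0014.4f87.a2b3) on Interface Fa3/1 AuditSessionID 0A0000010000000A0000A1B2
Mar  1 11:00:05 sw-fl3 %AUTHMGR-5-START: Starting 'dot1x' for client (b2cf.81a4.02d7) on Interface Fa3/2 AuditSessionID 0A0000010000000B0000A1B3
Mar  1 11:01:35 sw-fl3 %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (b2cf.81a4.02d7) on Interface Fa3/2 AuditSessionID 0A0000010000000B0000A1B3
Mar  1 11:01:36 sw-fl3 %MAB-5-SUCCESS: Authentication successful for client (b2cf.81a4.02d7) on Interface Fa3/2 AuditSessionID 0A0000010000000B0000A1B3
Mar  1 11:02:10 sw-fl3 %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f5ab.8b65.00d4) on Interface Fa3/3 AuditSessionID 0A0000010000000C0000A1B4
Mar  1 11:02:11 sw-fl3 %MAB-5-FAIL: Authentication failed for client (f5ab.8b65.00d4) on Interface Fa3/3 AuditSessionID 0A0000010000000C0000A1B4
Mar  1 11:03:00 sw-fl3 %DOT1X-5-FAIL: Authentication failed for client (0014.4f87.c0de) on Interface Fa3/4 AuditSessionID 0A0000010000000D0000A1B5
Mar  1 11:03:02 sw-fl3 %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0014.4f87.c0de) on Interface Fa3/4 AuditSessionID 0A0000010000000D0000A1B5
Mar  1 11:03:03 sw-fl3 %MAB-5-SUCCESS: Authentication successful for client (0014.4f87.c0de) on Interface Fa3/4 AuditSessionID 0A0000010000000D0000A1B5
Mar  1 11:04:00 sw-fl3 %LINK-3-UPDOWN: Interface FastEthernet3/5, changed state to up
"""

LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<facility>DOT1X|MAB|AUTHMGR)-\d-(?P<mnemonic>[A-Z_]+): "
    r"(?P<text>.*?client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+))"
)
FAILOVER_RE = re.compile(r"Failing over from '(\w+)'")


def parse_auth_syslog(text: str):
    """Yield one dict per DOT1X/MAB/AUTHMGR client message; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            fo = FAILOVER_RE.search(ev["text"])
            ev["failover_from"] = fo.group(1) if fo else None
            yield ev


def monitor_report(text: str) -> dict:
    """Classify endpoints the way the pre-enforcement to-do list does:
    dot1x_capable  spoke EAP (DOT1X success or fail)
    failed_dot1x   EAP ran but was rejected -> fix credentials / supplicant config
    non_dot1x      never answered EAP; auth-manager failed over from dot1x to MAB
    valid_macs     MAB accepted -> known device
    unknown_macs   MAB rejected -> decide, then add to the MAC DB or keep it out
    location       MAC -> (switch, interface): the "Switch + Port = Location" mapping"""
    keys = ("dot1x_capable", "failed_dot1x", "non_dot1x", "valid_macs", "unknown_macs")
    r = {k: set() for k in keys}
    r["location"] = {}
    for ev in parse_auth_syslog(text):
        mac, key = ev["mac"], (ev["facility"], ev["mnemonic"])
        r["location"][mac] = (ev["host"], ev["intf"])
        if key == ("DOT1X", "SUCCESS"):
            r["dot1x_capable"].add(mac)
        elif key == ("DOT1X", "FAIL"):
            r["dot1x_capable"].add(mac)
            r["failed_dot1x"].add(mac)
        elif key == ("AUTHMGR", "FAILOVER") and ev["failover_from"] == "dot1x":
            r["non_dot1x"].add(mac)
        elif key == ("MAB", "SUCCESS"):
            r["valid_macs"].add(mac)
        elif key == ("MAB", "FAIL"):
            r["unknown_macs"].add(mac)
    # A host that spoke EAP and then failed over has a credential problem, not a missing supplicant.
    r["non_dot1x"] -= r["dot1x_capable"]
    return r


def todo_items(report: dict) -> list:
    """Actions to take before switching from monitor mode to enforcement."""
    items = []
    for mac in sorted(report["failed_dot1x"]):
        sw, intf = report["location"][mac]
        items.append(f"fix 802.1X credentials/supplicant on {mac} ({sw} {intf})")
    for mac in sorted(report["unknown_macs"]):
        sw, intf = report["location"][mac]
        items.append(f"unknown MAC {mac} ({sw} {intf}): add to MAC DB or keep out")
    return items


if __name__ == "__main__":
    report = monitor_report(SAMPLE_SYSLOG)
    for k in ("dot1x_capable", "failed_dot1x", "non_dot1x", "valid_macs", "unknown_macs"):
        print(f"{k:14} {sorted(report[k])}")
    print("\n".join(todo_items(report)))
```

In monitor mode the MAB-5-SUCCESS for a host that first failed 802.1X is expected (open authentication lets it through either way); once enforcement starts, that same host would land in the MAB-authorized bucket rather than the employee one, which is why the failed-802.1X list is worth clearing first.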
Monitoring with ACS 5.1
Tip: the Interactive Viewer is your friend. Launch it, then right-click inside the report for customization options. Detailed reports are lifesavers.
ACS 5.1 Details Report
Monitor Mode: Network Access Table
Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | Enterprise Access | Open authentication
Employees | 802.1X Success | Enterprise Access | Open authentication
Corporate Asset | MAB Success | Enterprise Access | Open authentication
Phones | 802.1X or MAB Success | Voice Access | Open authentication
Employees | 802.1X Fail -> MAB | Enterprise Access | Open authentication
Sponsored Guest | 802.1X Fail/Timeout -> MAB Fail | Enterprise Access | Open authentication
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Enterprise Access | Open authentication
All | None (AAA server down) | Enterprise Access | Open authentication
In monitor mode every outcome, including failure, still results in enterprise access; the value is in the authentication logs, not in enforcement.
Low Impact Mode
ACME's Goals: Phase 2
• Maintain visibility
• Control access to sensitive assets
• Preserve network access for managed assets; special case: PXE boot
• Preserve the current network architecture: no changes to the VLAN infrastructure
ACME's goals can be met with Low Impact Mode.
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 85
Access Control & Clientless Devices
The Timing Problem With MAB
• MAB depends on 802.1X timeout
• Many devices are time-sensitive
• DHCP is especially finicky
The Low Impact Solution
• Provide access to time-critical services before authentication
• Continue to restrict access to other services until after authentication
ACME's Time-Critical Services
• DHCP, DNS, TFTP
• This is enough for PXE devices to boot before MAB completes
Low Impact: Network Access Table
Endpoints | Authentication Status | Authorization
All (including PXE) | Pre-Auth | Limited Access
Employees | 802.1X Success | Enterprise Access
Corporate Asset | MAB Success | Enterprise Access
Phones | 802.1X or MAB Success | Voice Access
Employees | 802.1X Fail -> MAB or Web-Auth Success | Enterprise Access
Sponsored Guest | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Fail | Limited Access
All | None (AAA server down) | Limited Access
Low Impact Implementation: Limited ("Selectively Open") Access
Open Mode (Pinhole) on specific TCP/UDP ports; restrict to specific addresses
EAP allowed (controlled port)
Block general access until successful 802.1X, MAB or WebAuth
Pinhole explicit tcp/udp ports to allow desired access
Download general-access ACL upon authentication
interface GigabitE 3/13
 authentication port-control auto
 authentication open
 ip access-group PREAUTH in
dACLs Open Port After Authentication
Configure downloadable ACLs (dACL) for authenticated users
PREAUTH ACL (applied to the port before authentication):
permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
Switch dynamically substitutes the endpoint's address into the dACL
• Contents of dACL are arbitrary.
• Can have as many unique dACLs as there are user permission groups
• Same principles as pre-auth port ACL
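Added example (not the deck's own code): a Python evaluator for the subset of IOS extended-ACL syntax used in the PREAUTH ACL above. It checks which PXE-phase flows the pre-auth ACL pinholes and how a Permit-Any dACL, with the endpoint address substituted for the source, opens the port afterwards. The endpoint address and the flows are constructed; only the server addresses come from the slide.

```python
import ipaddress
from typing import List, Optional

# Well-known port names as IOS spells them in the ACL on the slide.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}

# The pre-auth port ACL from the slide.
PREAUTH = """
permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
""".strip().splitlines()

# A "Permit-Any" dACL as the AAA server would send it (source is 'any'; the switch fills it in).
PERMIT_ANY_DACL = ["permit ip any any"]


def parse_ace(line: str) -> dict:
    """Parse one ACE: any/host addresses, optional 'eq <port>' and 'established'.
    Wildcard masks are deliberately not supported in this small model."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    pos = 2

    def address() -> Optional[ipaddress.IPv4Network]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        raise ValueError(f"unsupported address form: {tok[pos]}")

    src, dst = address(), address()
    dport, established = None, False
    while pos < len(tok):
        if tok[pos] == "eq":
            dport = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
            pos += 2
        elif tok[pos] == "established":
            established = True
            pos += 1
        else:
            raise ValueError(f"unsupported keyword: {tok[pos]}")
    return {"permit": action == "permit", "proto": proto, "src": src, "dst": dst,
            "dport": dport, "established": established}


def matches(ace: dict, flow: dict) -> bool:
    """Does this ACE match the flow (proto, src, dst, dport, established)?"""
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ace["src"] is not None and ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ace["dst"] is not None and ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != flow.get("dport"):
        return False
    if ace["established"] and not flow.get("established", False):
        return False
    return True


def permitted(acl_lines: List[str], flow: dict) -> bool:
    """First matching ACE decides; the implicit deny at the end drops everything else."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, flow):
            return ace["permit"]
    return False


def apply_dacl(dacl_lines: List[str], endpoint_ip: str) -> List[str]:
    """Model the switch substituting the authenticated endpoint's address for the
    source 'any' of each dACL entry before installing it on the port."""
    return [line.replace(" any ", f" host {endpoint_ip} ", 1) for line in dacl_lines]


# Constructed PXE-phase flows from an endpoint that ends up at 10.1.10.21.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
TFTP_BOOT = {"proto": "udp", "src": "10.1.10.21", "dst": "10.100.10.117", "dport": 69}
TFTP_OTHER = {"proto": "udp", "src": "10.1.10.21", "dst": "10.100.10.118", "dport": 69}
HTTP_FILESERVER = {"proto": "tcp", "src": "10.1.10.21", "dst": "10.100.30.5", "dport": 80}

if __name__ == "__main__":
    for name, flow in [("DHCP", DHCP_DISCOVER), ("TFTP", TFTP_BOOT),
                       ("TFTP other", TFTP_OTHER), ("HTTP", HTTP_FILESERVER)]:
        print(f"pre-auth {name}: {'permit' if permitted(PREAUTH, flow) else 'deny'}")
    dacl = apply_dacl(PERMIT_ANY_DACL, "10.1.10.21")
    print("after auth, dACL", dacl, "HTTP:", permitted(dacl, HTTP_FILESERVER))
```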
Low Impact: Network Access Table
Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | Limited Access | Pre-Auth ACL
Employees | 802.1X Success | Enterprise Access | Permit-Any dACL
Corporate Asset | MAB Success | Enterprise Access | Permit-Any dACL
Phones | 802.1X or MAB Success | Voice Access | -
Employees | 802.1X Fail -> MAB or Web-Auth Success | Enterprise Access | -
Sponsored Guest | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access | -
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Fail | Limited Access | Pre-Auth ACL
All | None (AAA server down) | Limited Access | Pre-Auth ACL
DEMO Time: PXE boot and Enterprise Access (pre-Auth ACL, dACL)
Low Impact Mode: Flex Auth
Flexible Authentication ("Flex-Auth"): One Configuration Fits Most
Flex-Auth enables a single configuration for most use cases:
Configurable behavior after 802.1X timeout: 1) Next-Method
Configurable behavior after 802.1X failure:
Configurable order and priority of authentication methods
Configurable behavior before & after AAA server dies
802.1X Failure vs. 802.1X Timeout
An 802.1X failure occurs when the AAA server rejects the request:
  Supplicant: EAPoL Start -> Switch: EAPoL Request Identity -> Supplicant: EAPoL Response Identity -> Switch: RADIUS Access Request -> AAA: RADIUS Access Reject -> Switch: EAP Failure
A timeout occurs when an endpoint can't speak 802.1X:
  Switch: EAPoL Request Identity (repeated) -> endpoint never answers ("EAP Who?")
Default Behavior on 802.1X Timeout
After 802.1X times out, the port automatically falls back to the "next-method" if another method is configured.
802.1X & MAB: 802.1X -> (802.1X timeout) -> MAB
802.1X & Web Auth: 802.1X -> (802.1X timeout) -> Web-Auth
802.1X, MAB, Web-Auth: 802.1X -> (802.1X timeout) -> MAB -> (MAB fails) -> Web Auth
Flex-Auth for 802.1X Failures (Low Impact Mode)
Flex-Auth enables a single configuration for most use cases:
Configurable behavior after 802.1X timeout: 1) Next-Method
Configurable behavior after 802.1X failure: 1) Next-Method
Configurable order and priority of authentication methods
Configurable behavior before & after AAA server dies
Default Security After 802.1X Failure
Before Authentication: all traffic except EAPoL is dropped
After 802.1X Failure: all traffic except EAPoL is dropped
Why Provide Access to Devices that Fail?
Employees' credentials expire or get entered incorrectly ("802.1X: Certificate Expired!", "802.1X: User Unknown!").
As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default.
Many enterprises require that guests and failed corporate assets get conditional access to the network.
Failed Auth with Flex-Auth: Next-Method
After 802.1X failure:
6506-2(config-if)#authentication event fail action next-method
6506-2(config-if)#authentication order dot1x mab
User authenticated via MAB; access determined by the MAB result.
Supplicant expected to "fail open": allow a single packet to learn the MAC.
802.1X Failure with Next-Method
When the port is configured to fail to next method, it falls back to the "next-method" in the following order.
802.1X & MAB: 802.1X -> (802.1X failure) -> MAB
802.1X & Web Auth: 802.1X -> (802.1X failure) -> Web-Auth
802.1X, MAB, Web-Auth: 802.1X -> (802.1X failure) -> MAB -> (MAB fails) -> Web Auth
Flex-Auth Order & Priority
Flex-Auth enables a single configuration for most use cases:
Configurable behavior after 802.1X timeout: 1) Next-Method
Configurable behavior after 802.1X failure: 1) Next-Method
Configurable order and priority of authentication methods
Configurable behavior before & after AAA server dies
Flex-Auth Sequencing
Default Order: 802.1X First
  802.1X -> (802.1X timeout / fail) -> MAB -> (MAB fails) -> Web Auth
  By default, the switch attempts the most secure auth method first. Timeout can mean significant delay before MAB.
Flex-Auth Order: MAB First
  MAB -> (MAB fails) -> 802.1X -> (802.1X timeout) -> Web Auth
  The alternative order does MAB on the first packet from the device.
Flex-Auth Order with Flex-Auth Priority
Priority determines which method can preempt other methods.
By default, method sequence determines priority (first method has highest priority).
If MAB has priority, EAPoL-Starts will be ignored if MAB passes.
Default Priority: 802.1X ignored after successful MAB
  MAB -> MAB passes -> Port Authorized by MAB -> EAPoL-Start received -> ignored (MAB fails -> 802.1X)
Flex-Auth Priority: 802.1X starts despite successful MAB
  MAB -> MAB passes -> Port Authorized by MAB -> EAPoL-Start received -> 802.1X
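Added example, not Cisco code: a Python model of the Flex-Auth decisions the preceding slides describe (timeout versus failure, next-method on failure, order and priority). The 30 s tx-period and two retries that produce the 90 s timeout quoted in the deck are assumed IOS defaults; `order` and `priority` mirror the `authentication order` and `authentication priority` commands.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed IOS defaults: tx-period 30 s, max-reauth-req 2 -> the 90 s the deck quotes
# for an endpoint that never answers EAPoL Request-Identity.
TX_PERIOD = 30
MAX_REAUTH_REQ = 2
DOT1X_TIMEOUT = TX_PERIOD * (MAX_REAUTH_REQ + 1)   # 90 s


@dataclass
class Endpoint:
    speaks_dot1x: bool              # has a supplicant; if False, 802.1X times out
    dot1x_accepted: bool = False    # AAA server accepts its 802.1X credentials
    mab_known: bool = False         # MAC is in the AAA server's MAB database
    webauth_ok: bool = False        # user can pass Web-Auth
    late_eapol_start: bool = False  # supplicant sends EAPoL-Start after MAB already authorized the port


@dataclass
class PortConfig:
    order: Tuple[str, ...] = ("dot1x", "mab")      # authentication order ...
    priority: Optional[Tuple[str, ...]] = None     # authentication priority ...; None = same as order
    fail_next_method: bool = False                 # authentication event fail action next-method


@dataclass
class Outcome:
    authorized_by: Optional[str]     # method that finally authorized the port, or None
    delay: int                       # seconds the endpoint waited before the deciding method ran
    trace: List[str] = field(default_factory=list)


def run_method(method: str, ep: Endpoint, trace: List[str]):
    """Run one method; return (result, seconds consumed), result in success/fail/timeout."""
    if method == "dot1x":
        if not ep.speaks_dot1x:
            trace.append("802.1X timeout")
            return "timeout", DOT1X_TIMEOUT
        result = "success" if ep.dot1x_accepted else "fail"
        trace.append(f"802.1X {result}")
        return result, 0
    ok = {"mab": ep.mab_known, "webauth": ep.webauth_ok}[method]
    result = "success" if ok else "fail"
    trace.append(f"{'MAB' if method == 'mab' else 'Web-Auth'} {result}")
    return result, 0


def authenticate(port: PortConfig, ep: Endpoint) -> Outcome:
    """Walk the configured order the way Flex-Auth does."""
    priority = port.priority or port.order
    trace: List[str] = []
    elapsed = 0
    for method in port.order:
        started_at = elapsed
        result, spent = run_method(method, ep, trace)
        elapsed += spent
        if result == "success":
            authorized_by: Optional[str] = method
            # Priority decides whether a later EAPoL-Start may preempt a MAB authorization.
            if method == "mab" and ep.late_eapol_start and "dot1x" in priority and "mab" in priority:
                if priority.index("dot1x") < priority.index("mab"):
                    trace.append("EAPoL-Start received: 802.1X preempts MAB")
                    r, _ = run_method("dot1x", ep, trace)
                    # Simplification: a failed preempting attempt is treated as leaving the port unauthorized.
                    authorized_by = "dot1x" if r == "success" else None
                else:
                    trace.append("EAPoL-Start received: ignored, MAB has priority")
            return Outcome(authorized_by, started_at, trace)
        if result == "fail" and method == "dot1x" and not port.fail_next_method:
            trace.append("no next-method on failure: port stays unauthorized")
            return Outcome(None, elapsed, trace)
        # 802.1X timeout, a MAB/Web-Auth failure, or an 802.1X failure with next-method
        # configured: fall through to the next method in the order.
    trace.append("all methods exhausted: port unauthorized")
    return Outcome(None, elapsed, trace)


if __name__ == "__main__":
    printer = Endpoint(speaks_dot1x=False, mab_known=True)
    print("printer, 802.1X first:", authenticate(PortConfig(), printer))
    print("printer, MAB first:   ", authenticate(PortConfig(order=("mab", "dot1x")), printer))
```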
Low Impact Mode: Web Auth
What ACME Expects for Web Auth (for Guest and Employee)
• Customizable Login Page
• Sponsored Guest Credentials
• Existing Credential Stores
• Parity for Wired / WLAN
• Centralized Web Page Management
• Flexible Access Policies
• Integrated Local Web Authentication
• Centralized Accounting
• 802.1X/MAB Compatibility
Components: Active Directory, NAC Guest Server, ACS 5.1
Introducing... Web-Auth's New Best Friend: NAC Guest Server (NGS)
Multi-Function Standalone Appliance
Customizable Hotspot Hosting
Sponsored Guest Access Provisioning, Verification, Management
Product Bulletin: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_bulletin0900aecd806f3235.html
Data Sheet: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html
Basic Wired: Distributed Login Pages
Default (Auth-Proxy Banner): fixed text, text only
ip admission auth-proxy-banner http ^C Here is what the auth-proxy-banner looks like ^C
Customized: 4 files, 8KB max each
ip admission proxy http login expired page file bootflash:expired.html
ip admission proxy http login page file bootflash:login.html
ip admission proxy http success page file bootflash:success.html
ip admission proxy http failure page file bootflash:fail.html
Images must be embedded or external
Enhanced Web Auth: Centralized Login Page (new with NGS 2.0.2!)
1. Guest opens Web browser
2. Web traffic is intercepted by the switch and redirected to the Guest Server.
3. Guest Server (Cisco NAC Guest Server) returns the centralized login page
Web Authentication Can Be Used For Guests and/or Employees
Components: Active Directory, RADIUS proxy, NAC Guest Server
• ACS can use RADIUS proxy to validate sponsored guest credentials on NGS
• ACS can query other ID stores (like AD) to validate employee credentials
• ACS policy can assign different levels of access to Guest and Employee
Low Impact: Network Access Table
Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | Limited Access | Pre-Auth ACL
Employees | 802.1X Success | Enterprise Access | Permit-Any dACL
Corporate Asset | MAB Success | Enterprise Access | Permit-Any dACL
Phones | 802.1X or MAB Success | Voice Access | -
Employees | 802.1X Fail -> MAB or Web-Auth Success | Enterprise Access | Permit-Any dACL
Sponsored Guest | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access | Permit-Internet dACL
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Fail | Limited Access | Pre-Auth ACL
All | None (AAA server down) | Limited Access | Pre-Auth ACL
DEMO Time: Next-Method for 802.1X Timeout & Fail; Web-Auth
Low Impact Mode: IP Telephony
802.1X & IPT: A Special Case
Voice Ports: a port can belong to two VLANs, keeping voice and data traffic separate while still letting you configure 802.1X.
An access port able to handle two VLANs, with the hardware set to a dot1q trunk:
Native or Port VLAN Identifier (PVID): untagged 802.3, authenticated by 802.1X
Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1q, "authenticated" by CDP
IPT & 802.1X: Fundamental Challenges
1) IPT Breaks the Point-to-Point Model: two devices (phone and PC) per port, whereas 802.1X assumes one device per port.
"The operation of Port Access Control assumes that the Ports on which it operate offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis." (IEEE 802.1X rev 2004)
2) Link State Dependency: the PC's link state is unknown to the switch, which leads to security violations.
First Solution: CDP Bypass
The phone's CDP announcement admits it to the Voice VLAN; the PC behind it is authenticated on the Data VLAN.
interface fastEthernet 3/48
 switchport voice vlan 10
 authentication port-control auto
 dot1x pae authenticator
Benefits | Deployment Considerations
Access to voice VLAN after phone sends CDP | CDP-capable hackers get full access, too.
Default behavior: Cisco IP Phones get access if voice VLAN configured | No visibility, no access control
Works for all Cisco phone models | Incompatible with dynamic VVID, downloadable ACLs (dACLs), PC Web Auth
Second Solution: Multi-Domain Authentication (MDA) Host Mode
interface fastEthernet 3/48
 authentication host-mode multi-domain
IEEE 802.1X: single device per port. MDA: single device per domain (Data Domain, Voice Domain) per port.
• Phones and PCs use 802.1X or MAB
• MDA is a subset of Multi-Auth
MDA with MAC Authentication Bypass (MAB)
Timeline (0:00 to 0:30): Link up -> EAP-Identity-Request -> no response -> EAP-Identity-Request -> no response -> EAP-Identity-Request -> no response -> timeout -> fallback to MAB: learn MAC (00.18.ba.c7.bc.ee) -> RADIUS-Access Request: 00.18.ba.c7.bc.ee -> RADIUS-Access Accept with device-traffic-class=voice (the "Voice VSA") -> Voice VLAN enabled
Layer 2 point-to-point between phone and switch; Layer 3 link between switch and AAA server
Benefits | Deployment Considerations
No client, no credential needed -> works for all Cisco phone models | Dependency on AAA server
Enables visibility, access control | Must create & maintain phone MAC database
Compatible with 802.1X features | Default 802.1X timeout = 90 seconds latency (mitigated by Low Impact Mode)
MDA with 802.1X
Supplicant (phone) <-> Authenticator: Layer 2 point-to-point; Authenticator <-> AAA Server: Layer 3 link
1. Supplicant: EAPoL Start
2. Authenticator: EAPoL Request Identity
3. Supplicant: EAPoL Response Identity -> Authenticator: RADIUS Access Request [AVP: EAP-Response: CP-79xx-xxxxxxxx]
4. AAA Server: RADIUS Access-Challenge [AVP: EAP-Response: TLS] -> Authenticator: EAP-Request: TLS Client Hello
5. Supplicant: EAP-Response: TLS -> Authenticator: RADIUS Access Request [AVP: EAP-Request: TLS Server Hello]
6. AAA Server: RADIUS Access-Accept [AVP: device-traffic-class=voice] [AVP: voice VLAN 10, dACL-n] -> Authenticator: EAP Success
Actual exchanges depend on EAP method (MD5, TLS, FAST)
Benefits | Deployment Considerations
Strong authentication with minimal delay | Choice of EAP method impacts deployability
Can be deployed without touching the phone or creating a database. | Requires: 7970G, 79x1, 79x2, 79x5 with X.509 cert support & firmware 8.5(2)
Compatible with 802.1X features | AAA server dependency
MDA in Action
3750-1(config-if)#do sh dot1x int G1/0/5 details
<...>
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 0014.5e42.66df
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Domain = VOICE
Supplicant = 0016.9dc3.08b8
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
PC authenticated by 802.1X (DATA domain); phone authenticated by MAB (VOICE domain)
Either 802.1X or MAB for the phone
Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for the PC
Summary: Multiple Hosts per Port
Host Mode | Enforcement | Deployment Considerations
Single | Single MAC address per port | • Second MAC address triggers a security violation • VMs on the host must share the same MAC address. • CDP Bypass is the only IPT solution.
Multi-Domain Auth (MDA) | One voice device + one data device per port | • Same as single host mode except phone authenticates • Supports third party phones
Multi-Auth | Superset of MDA with multiple data devices per port | • Authenticates every MAC address in the data domain. • VMs on the host may use different MAC addresses. • One VLAN (default port VLAN) for all devices on the port
Multi-Host | One authenticated device allows any number of subsequent MAC addresses. | • Not recommended • VMs on the host may use different MAC addresses. • CDP Bypass is the only IPT solution.
Low Impact: Network Access Table
Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | Limited Access | Pre-Auth ACL
Employees | 802.1X Success | Enterprise Access | Permit-Any dACL
Corporate Asset | MAB Success | Enterprise Access | Permit-Any dACL
Phones | 802.1X or MAB Success | Voice Access | MDA with Voice VSA + Permit-Any dACL
Employees | 802.1X Fail -> MAB or Web-Auth Success | Enterprise Access | Permit-Any dACL
Sponsored Guest | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access | Permit-Internet dACL
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Fail | Limited Access | Pre-Auth ACL
All | None (AAA server down) | Limited Access | Pre-Auth ACL
Cisco IP-Phone 802.1X: Phone Booting
Cisco IP-Phone 802.1X: Access via the Security Settings Menu
Cisco IP-Phone 802.1X: 802.1X Off by Default
Cisco IP-Phone 802.1X: Set EAP-MD5 Password
Cisco IP-Phone 802.1X: Device ID must = ACS User ID
Checking Status
IPT & 802.1X: The Link-State Problem
1) Legitimate users cause a security violation: PC A (S:0011.2233.4455) authenticates behind the phone, so F0/2 is authorized for 0011.2233.4455 only. When PC B (S:6677.8899.AABB) replaces it, the switch never saw the link go down, and B's frames trigger a Security Violation.
2) Hackers can spoof the MAC to gain access without authenticating: because 0011.2233.4455 is already authorized on F0/2, a device presenting S:0011.2233.4455 behind the phone inherits A's session (a security hole).
Partial Solution: Proxy EAPoL-Logoff
1. PC-A authenticated behind the phone: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x
2. PC-A unplugs: the phone sends a proxy EAPoL-Logoff and the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED)
3. PC-B plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x
Caveats: only for 802.1X devices behind the phone. Requires logoff-capable phones.
Partial Solution: Inactivity Timeout Options
1. Device authenticated behind the phone: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
2. Device unplugs: until the inactivity timer expires the port is vulnerable to a security violation and/or hole
3. Inactivity timer expires: session cleared (Domain = DATA, Port Status = UNAUTHORIZED), vulnerability closed
4. Device re-authenticates: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity [300 | server]
 mab
Caveats: quiet devices may have to re-auth; network access is denied until re-auth completes. Still a window of vulnerability.
3K: 12.2(50)SE*; 4K: 12.2(50)SG; 6K: 12.2(33)SXI
Partial Solution: MAC Move
Scenario: wiring-closet switch with CAM table (MAC Addr, Switchport), ACS AAA RADIUS server, PC moving from an Office to a Conference Room through an intermediary device
1. PC connects and authenticates (PC MAC: 00-1C-25-BA-6D-3B)
2. CAM table updated (MAC/Port): Gigabit Ethernet 1/0/1 = 00-1C-25-BA-6D-3B
3. PC moved to new location
4. PC authenticates on Gigabit Ethernet 1/0/14
5. Previous session deleted and CAM table updated with the new entry
Best Practice: Combine MAC Move with Inactivity Timer
Full Solution: CDP 2nd Port Notification
1. Device A authenticated behind the phone: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
2. Device A unplugs: the phone sends a CDP link-down TLV to the switch and the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED)
3. Device B plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x
The link status message addresses the root cause. Works for MAB, 802.1X, and Web-Auth. Nothing to configure.
Requires: IP Phone 8.4(1); 3K: 12.2(50)SE; 4K: 12.2(50)SG; 6K: 12.2(33)SXI
id-4503#sho cdp neigh g2/1 detail
-------------------------
Device ID: SEP0015C696E22C
Entry address(es):
IP address: 10.1.200.10
Platform: Cisco IP Phone 7971, Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet2/1, Port ID (outgoing port): Port 1
Holdtime : 168 sec
Second Port Status: Down
DEMO Time: CDP 2nd Port Notifications
Phase 3: High Security Access Control
Phase 3: ACME Gets Acquired by Widget, Inc.
New Security Policy & Network Requirements:
VLAN Segmentation
• Engineers on the ENG VLAN
• Machines on MACHINE VLAN
• Employees/managed assets on DATA VLAN.
• Unauthenticated devices on RESTRICTED VLAN only.
Branch Survivability
• "fail open" when AAA server is unreachable.
Widget's Goals Can Be Met With High Security Mode
How this will happen
Policy Change | Solution Change
VLAN Segmentation | Dynamic identity-based VLAN assignment
No unauthenticated traffic on DATA VLAN | Open mode -> Closed Mode
Unauthenticated devices on RESTRICTED VLAN only | Local authorization (AuthFail VLAN, Guest VLAN)
Branch Survivability | Critical Auth VLAN
High Security: Network Access Table
Endpoints | Authentication Status | Authorization
All (including PXE) | Pre-Auth | None
Employees | 802.1X Success | Enterprise Access
Corporate Asset | MAB Success | Enterprise Access
Phones | 802.1X or MAB Success | Voice Access
Engineers | 802.1X Success | Engineer Access
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Limited Access
All | None (AAA server down) | Enterprise Access
Dynamic Authorization: VLAN Assignment
Identity-Based
• Assigned VLAN is based on identity at time of authentication
• Identity can be individual or group
VLAN Name
• VLANs assigned by name (not number); allows for more flexible VLAN management
• Assigned VLAN must match switch configuration; a mismatch results in authentication failure.
Standards-Based
• Usage for VLANs is specified in the IEEE 802.1X standard
• RFC 2868 defines the tunnel attributes the AAA server uses to send the VLAN name to the switch
Tunnel Attributes
• [64] Tunnel-Type = "VLAN" (13)
• [65] Tunnel-Medium-Type = "802" (6)
• [81] Tunnel-Private-Group-ID = <VLAN name>
Segmenting Users, Devices and Networks: How to Extend IBNS Policy into the Network
Use the network to provide isolation and simplified policy enforcement:
GRE tunnels and policy routing
VRF-Lite end-to-end (virtual route forwarding)
VRF-Lite at the distribution with MPLS L3 VPNs at the core
MPLS L3 VPNs end-to-end
Example topology segments: Dept: HR, Dept: ENGR, Guest, Encrypted Voice, Internet
"Guest" VLAN tunneled to Internet DMZ
VoIP on an ultra-secure segment
Overlapping address space in Dept-HR and Dept-ENGR can co-exist
802.1X User Distribution Enhances Dynamic VLAN Assignment
Addresses two use cases:
1. Mapping the RADIUS-provided VLAN name to different VLANs on different switches (no need to re-configure the RADIUS-provided VLAN name). Example: ENG-DATA maps to VLAN 20 ENG-DATA-SW1 on SW1 and to VLAN 30 ENG-DATA-SW2 on SW2.
2. Distributing the RADIUS-provided VLAN over multiple VLANs locally available on the same logical switch (load balancing across a large number of ports, reducing the broadcast domain). Example: VLAN 40 ENG-GROUP-1, VLAN 41 ENG-GROUP-2, VLAN 42 ENG-GROUP-3.
User Distribution "Mapping" Can Simplify Migration to Dynamic VLANs
Allows flexible adoption in existing environments; no need to reconfigure existing VLANs; simplifies policy in the AAA server
AAA Server: User Alice -> VLAN corporate
SW1 (traditional VLAN assignment is by VLAN name): VLAN Name corporate = Number 30 -> 802.1X assigns VLAN 30
SW2 (user distribution assigns by VLAN group, or name): VLAN Name corporate-2 = Number 40; VLAN Group corporate = Number 40 -> 802.1X assigns VLAN 40
User Distribution: "Distribution"
Allows highly scalable 802.1X-based VLAN assignment in a large-scale campus LAN deployment (high port density).
The AAA server returns the RADIUS attribute "corporate"; on the switch it maps to VLAN 20 corp-1, VLAN 21 corp-2 and VLAN 22 corp-3, and the distribution algorithm spreads users evenly across VLANs 20, 21 and 22.
Configuring VLAN groups
Switch(config)# vlan group <groupname> vlan-list <list of vlans>
<groupname>: name for the VLAN group, starting with a letter
<list of VLANs>: a single VLAN, a range of VLANs, or comma-separated VLANs
Switch(config)#vlan group corporate vlan-list 4
Switch(config)#vlan group corporate vlan-list 40-50
Switch(config)#vlan group corporate vlan-list 12,52,75
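Added example, not Cisco's or the deck's code, serving both the tunnel-attribute slide and the VLAN group slides: Python that encodes the RFC 2868 attributes [64]/[65]/[81] as an AAA server would and resolves them on a modelled switch first by VLAN name, then by VLAN group. The switch names, VLAN tables and the "least-loaded VLAN in the group" distribution step are assumptions made for the model, not the switch's actual algorithm.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# RADIUS attribute numbers and values from RFC 2868 (the [64]/[65]/[81] on the slide)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def encode_vlan_avps(vlan_name: str, tag: int = 1) -> bytes:
    """Build the three tagged tunnel attributes an AAA server puts in an Access-Accept.
    Layout per attribute: Type | Length | Tag | Value; integers are 3 bytes after the tag."""
    def tagged_int(attr: int, value: int) -> bytes:
        body = bytes([tag]) + value.to_bytes(3, "big")
        return bytes([attr, 2 + len(body)]) + body

    def tagged_str(attr: int, value: str) -> bytes:
        body = bytes([tag]) + value.encode("ascii")
        return bytes([attr, 2 + len(body)]) + body

    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, vlan_name))


def decode_avps(data: bytes) -> Dict[int, Tuple[int, object]]:
    """Parse a run of AVPs into {attr: (tag, value)}. A first byte above 0x1F in
    Tunnel-Private-Group-ID is string data, not a tag (RFC 2868 rule)."""
    out: Dict[int, Tuple[int, object]] = {}
    i = 0
    while i < len(data):
        attr, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute")
        body = data[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr] = (body[0], int.from_bytes(body[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if body[0] <= 0x1F:
                out[attr] = (body[0], body[1:].decode("ascii"))
            else:
                out[attr] = (0, body.decode("ascii"))
        i += length
    return out


class Switch:
    """Minimal model of a switch's VLAN name table and its 'vlan group' configuration."""

    def __init__(self, name: str, vlans: Dict[str, int], groups: Dict[str, List[int]]):
        self.name = name
        self.vlans = vlans          # VLAN name -> number
        self.groups = groups        # group name -> VLAN numbers (vlan group ... vlan-list ...)
        self.sessions = Counter()   # VLAN number -> sessions assigned so far

    def vlan_for(self, avps: Dict[int, Tuple[int, object]]) -> Optional[int]:
        """Resolve an Access-Accept to a VLAN number; None means authentication failure."""
        if avps.get(TUNNEL_TYPE, (0, None))[1] != TUNNEL_TYPE_VLAN:
            return None
        if avps.get(TUNNEL_MEDIUM_TYPE, (0, None))[1] != TUNNEL_MEDIUM_802:
            return None
        if TUNNEL_PRIVATE_GROUP_ID not in avps:
            return None
        name = str(avps[TUNNEL_PRIVATE_GROUP_ID][1])
        if name in self.vlans:                 # traditional assignment by VLAN name
            vlan = self.vlans[name]
        elif name in self.groups:              # user distribution: the name is a VLAN group
            # Assumption: "evenly distributed" modelled as least-loaded VLAN, ties to the lowest number
            vlan = min(self.groups[name], key=lambda v: (self.sessions[v], v))
        else:
            return None                        # mismatch -> authentication failure
        self.sessions[vlan] += 1
        return vlan


if __name__ == "__main__":
    avps = decode_avps(encode_vlan_avps("ENG-DATA"))
    sw1 = Switch("SW1", {"ENG-DATA-SW1": 20}, {"ENG-DATA": [20]})
    sw2 = Switch("SW2", {"ENG-DATA-SW2": 30}, {"ENG-DATA": [30]})
    print("ENG-DATA ->", sw1.vlan_for(avps), "on SW1,", sw2.vlan_for(avps), "on SW2")
    campus = Switch("SW-campus", {}, {"corporate": [20, 21, 22]})
    corp = decode_avps(encode_vlan_avps("corporate"))
    print("corporate x4 ->", [campus.vlan_for(corp) for _ in range(4)])
```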
High Security: Network Access Table
Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | None | Closed Mode
Employees | 802.1X Success | Enterprise Access | Default DATA VLAN
Corporate Asset | MAB Success | Enterprise Access | Default DATA VLAN
Phones | 802.1X or MAB Success | Voice Access | Voice VLAN
Engineers | 802.1X Success | Engineer Access | ENG VLAN
Machines | 802.1X Success | Machine Access | -
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Limited Access | -
All | None (AAA server down) | Enterprise Access | -
User and Machine/Device Authorization
802.1X & Dynamic VLANs Deployment Considerations
VLAN Proliferation
• Every access switch must support every assignable VLAN
• In multi-layer deployments, all these VLANs must be trunked to the distribution layer.
• Every new VLAN will require a new subnet on every access switch (routed access & multi-layer*)
*VSS removes this requirement
Address Changes
• Devices that change VLANs as a result of authentication MUST be capable of getting a new address on the new VLAN.
• Most supplicants CAN get a new address
• Most clientless devices CANNOT
• Even successful address changes can cause problems with end host functionality.
Coping with VLAN Change: DHCP Renewal, Microsoft Windows Example (actual technique is supplicant dependent)
1. User login request; credentials sent to the switch and forwarded to the ACS server, which checks them against its device identity store and Active Directory (device authentication, user authentication); Accept
2. Auth successful (EAP-Success); user VLAN assignment
3. ICMP Echo (x3) for the default GW from the "old IP" as soon as the EAP-Success frame is received
4. DHCP-Request (D=255.255.255.255) after the pings have gone unanswered -> DHCP-NAK (wrong subnet)
5. DHCP-Discover (D=255.255.255.255); at this point, DHCP proceeds normally
VLAN Changes Can Disrupt Desktop Operation
In legacy (pre-Vista) Microsoft environments, changing the VLAN can break user and/or machine GPOs.
Windows XP cannot re-negotiate a secure connection with AD if the IP address changes during GPO download.
What's a GPO? And why should I care about breaking it?
A Group Policy Object (GPO) is used to deliver and apply configurations or policy settings to a set of targeted users and computers within an Active Directory environment. Windows admins use GPOs for system compliance and security enforcement, e.g.:
Network device mapping
Applying logon / logoff scripts to workstations
Batch mechanism to trigger applications
Security compliance enforcement such as password rules, etc.
Breaking GPOs is an RPE (Resume Producing Event)
"Ideal" Microsoft Boot Process (If Only It Were This Easy)
Machine Authentication phase:
Power On
Kernel Loading, Windows HAL Loading, Device Driver Loading
Components that depend on network connectivity:
Obtain Network Address (Static, DHCP)
Determine Site and DC (DNS, LDAP)
Establish Secure Channel to AD (LDAP, SMB)
Kerberos Authentication (Machine Account)
Computer GPOs Loading (Async)
GPO based Startup Script Execution
Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update
GINA
"Pre-Logon" User Authentication phase:
Kerberos Auth (User Account)
User GPOs Loading (Async)
GPO based Logon Script Execution (SMB)
Real Boot Process With Fast Logon: Machine GPOs will Break with XP
Port in Machine VLAN:
Power On
Kernel Loading, Windows HAL Loading, Device Driver Loading
802.1X Machine Auth (start of 802.1X auth may vary among supplicants)
Components that are in a race condition with 802.1X Auth:
Obtain Network Address (Static, DHCP)
Determine Site and DC (DNS, LDAP)
Establish Secure Channel to AD (LDAP, SMB)
Kerberos Authentication (Machine Account)
Computer GPOs Loading (Async)
GPO based Startup Script Execution
Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update
GINA (Fast Logon Optimization)
802.1X User Auth
Port moves to User VLAN:
Kerberos Auth (User Account)
User GPOs Loading (Async)
GPO based Logon Script Execution (SMB)
Real Boot Process With Race Conditions: User GPOs can Break with XP
Port in Machine VLAN:
Power On
Kernel Loading, Windows HAL Loading, Device Driver Loading
802.1X Machine Auth (start of 802.1X auth may vary among supplicants)
Obtain Network Address (Static, DHCP)
Determine Site and DC (DNS, LDAP)
Establish Secure Channel to AD (LDAP, SMB)
Kerberos Authentication (Machine Account)
Computer GPOs Loading (Async)
GPO based Startup Script Execution
Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update
GINA
802.1X User Auth
Port moves to User VLAN; components that are in a race condition with 802.1X Auth:
Kerberos Auth (User Account)
User GPOs Loading (Async)
GPO based Logon Script Execution (SMB)
Dynamic VLAN Assignment Best Practices
Vista SP2 or Windows 7:
• No restrictions on VLAN assignment
• Vista and Win7 can renegotiate the secure connection with AD when the IP address changes
XP and earlier:
• Use only Machine Authentication OR…
• Use the same VLAN for User and Machine Authentication
Reconsider ACLs if you don't need segmentation.
High Security: Network Access Table
Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | None | Closed Mode
Employees | 802.1X Success | Enterprise Access | Default DATA VLAN
Corporate Asset | MAB Success | Enterprise Access | Default DATA VLAN
Phones | 802.1X or MAB Success | Voice Access | Voice VLAN
Engineers | 802.1X Success | Engineer Access | ENG VLAN
Machines | 802.1X Success | Machine Access | MACHINE VLAN
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Limited Access |
All | None (AAA server down) | Enterprise Access |

DEMO Time
ACS: using AD groups for Authorization Rules
High Security: Unknown Devices
Flex-Auth for Unknown Devices: Agentless Devices in High Security Mode
Flex-Auth enables a single configuration for most use cases:
Configurable order and priority of authentication methods
Configurable behavior after 802.1X timeout: 1) Next-Method, 2) Guest VLAN
Configurable behavior after 802.1X failure
Configurable behavior before & after AAA server dies
Non-802.1X Client: Guest VLAN
Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as 802.1X hellos)
No further security or authentication is applied. It's as if the administrator de-configured 802.1X and hard-set the port into the specified VLAN
Client 802.1X Process:
1. Upon link up: EAP-Identity-Request D = 01.80.c2.00.00.03 (no response)
2. After 30 seconds: EAP-Identity-Request D = 01.80.c2.00.00.03 (no response)
3. After 30 seconds: EAP-Identity-Request D = 01.80.c2.00.00.03 (no response)
4. After 30 seconds: EAP-Success D = 01.80.c2.00.00.03; port deployed into VLAN 51
interface GigabitE 3/13
 authentication port-control auto
 authentication event no-response action authorize vlan 51
802.1X with Guest VLAN Deployment Considerations
When a port moves to the Guest VLAN, any number of additional MACs are allowed on the port without authenticating
Guest VLAN is a switch-local authorization -> centralized policy on the AAA server is not enforced
Guest VLAN does not differentiate, e.g. guest users get the same access as a corporate printer
Guest VLAN can be the fallback after 802.1X timeout and MAB fail
• Default timeout is 30 seconds with three retries (90 seconds total)
• 90 seconds > DHCP timeout.
802.1X timeout dependency -> delayed network access.
Guest VLAN and Web Auth Are Mutually Exclusive
Option A: 802.1X -> 802.1X timeout -> MAB -> MAB fails -> Guest VLAN
interface GigabitE 3/13
 authentication port-control auto
 dot1x pae authenticator
 mab
 authentication event no-response action authorize vlan 40
Option B: 802.1X -> 802.1X timeout -> MAB -> MAB fails -> Web Auth
interface GigabitE 3/13
 authentication port-control auto
 dot1x pae authenticator
 mab
 authentication fallback WEB-AUTH
Flex-Auth for Unknown Devices: Devices that Fail 802.1X in High Security Mode
Flex-Auth enables a single configuration for most use cases:
Configurable order and priority of authentication methods
Configurable behavior after 802.1X timeout: 1) Next-Method, 2) Guest VLAN
Configurable behavior after 802.1X failure: 1) Next-Method, 2) AuthFail VLAN
Configurable behavior before & after AAA server dies
Failed 802.1X: Auth-Fail VLAN Is An Alternative to Next-Method
After 802.1X Failure:
6506-2(config-if)#authentication event fail action authorize vlan 10
VLAN 10: User Unknown
Access Restricted to Auth-Fail VLAN
Supplicant expected to "fail open"
Now with RADIUS Accounting!
802.1X with Auth-Fail VLAN Deployment Considerations
Supplicant cannot exit the Auth-Fail VLAN
• Only alternatives: switch-initiated re-authentication or port bounce
No Secondary Authentication Mechanism.
Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization -> centralized policy on the AAA server is not enforced
Switch and AAA server have conflicting views of the network: the switch sees access granted, the AAA server sees access denied (mitigated by new RADIUS accounting)
High Security: Network Access Table
Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | None | Closed Mode
Employees | 802.1X Success | Enterprise Access | Default DATA VLAN
Corporate Asset | MAB Success | Enterprise Access | Default DATA VLAN
Phones | 802.1X or MAB Success | Voice Access | Voice VLAN
Engineers | 802.1X Success | Engineer Access | ENG VLAN
Machines | 802.1X Success | Machine Access | MACHINE VLAN
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Limited Access | Auth-Fail VLAN = Guest VLAN = UNAUTH VLAN
All | None (AAA server down) | Enterprise Access |
Flex-Auth for Unknown Devices: Devices are Unknown because AAA is Down
Flex-Auth enables a single configuration for most use cases:
Configurable order and priority of authentication methods
Configurable behavior after 802.1X timeout: 1) Next-Method, 2) Guest VLAN
Configurable behavior after 802.1X failure: 1) Next-Method, 2) AuthFail VLAN
Configurable behavior before & after AAA server dies: Critical VLAN
Inaccessible Authentication Bypass
• Switch detects AAA unavailable by one of two methods:
1. Periodic probe
2. Failure to respond to AAA request
• Enables port in critical VLAN if defined, otherwise in the switchport VLAN
• Existing sessions retain authorization status
• Applies to data devices only
• Recovery action can re-initialize port when AAA returns
(Diagram: the supplicant's EAPOL-Start is answered locally with EAP-Success while the RADIUS server, reached across the WAN / Internet VPN tunnel, is unreachable)
RADIUS Server(s) Inaccessible
radius-server host 10.1.10.50 test username KeepAliveUser key cisco
radius-server dead-criteria time 15 tries 3
radius-server deadtime 1
!
interface GigabitEthernet1/13
 description Dot1x Demo with Auth-Fail VLAN
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication order dot1x mab
 dot1x pae authenticator
 authentication port-control auto
 dot1x timeout tx-period 10
 dot1x max-req 2
 mab
 spanning-tree portfast
Critical VLAN can be anything:
• Static VLAN
• Same as guest/auth-fail VLAN
• New VLAN
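The port behaviours on the Guest VLAN, Auth-Fail VLAN and critical VLAN slides above, as an added Python model that is not Cisco code: given the port commands (field names mirror the IOS keywords) and what an endpoint does, it returns the authorization outcome and the seconds an agentless device waits before the switch stops sending EAP-Request-Identity. The three-request count and 30-second period are the slide's defaults; the rule that the guest VLAN is only used for a device that never answered EAPOL and the guest VLAN / web-auth exclusivity check are assumptions drawn from the slides.

```python
"""Flex-Auth outcome model (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PortConfig:
    order: Tuple[str, ...] = ("dot1x", "mab")   # authentication order dot1x mab
    tx_period: int = 30                         # dot1x timeout tx-period (seconds)
    identity_requests: int = 3                  # EAP-Request-Identity attempts (slide: three)
    guest_vlan: Optional[int] = None            # authentication event no-response action authorize vlan
    webauth_fallback: bool = False              # authentication fallback WEB-AUTH
    auth_fail_vlan: Optional[int] = None        # event fail action authorize vlan (None = next-method)
    critical_vlan: Optional[int] = None         # event server dead action authorize vlan

    def __post_init__(self) -> None:
        # Slide rule: guest VLAN and web-auth fallback are mutually exclusive.
        if self.guest_vlan is not None and self.webauth_fallback:
            raise ValueError("guest VLAN and WEB-AUTH fallback cannot both be set")


@dataclass
class Endpoint:
    has_supplicant: bool             # answers EAP-Request-Identity at all
    dot1x_passes: bool = False       # AAA accepts the 802.1X credentials
    mac_known: bool = False          # AAA accepts the MAC address (MAB)
    aaa_reachable: bool = True       # False models the "AAA server down" row
    aaa_vlan: Optional[int] = None   # VLAN the AAA policy assigns on success


def authorize(cfg: PortConfig, ep: Endpoint) -> Tuple[str, Optional[int], int]:
    """Return (outcome, vlan, seconds waited before the port was decided)."""
    waited = 0
    saw_eapol = False
    for method in cfg.order:
        if method == "dot1x":
            if not ep.has_supplicant:
                # No EAPOL reply: retry tx_period apart, then go to the next method.
                waited += cfg.tx_period * cfg.identity_requests
                continue
            saw_eapol = True
            if not ep.aaa_reachable:
                break
            if ep.dot1x_passes:
                return ("authorized", ep.aaa_vlan, waited)
            if cfg.auth_fail_vlan is not None:
                # Switch-local authorization: AAA policy is not consulted.
                return ("auth-fail-vlan", cfg.auth_fail_vlan, waited)
            continue  # authentication event fail action next-method
        if method == "mab":
            if not ep.aaa_reachable:
                break
            if ep.mac_known:
                return ("authorized", ep.aaa_vlan, waited)
            continue  # MAB failed: fall through to the post-method fallbacks
    if not ep.aaa_reachable:
        # Inaccessible Authentication Bypass; the "otherwise switchport VLAN"
        # case from the slide is not modelled here.
        if cfg.critical_vlan is not None:
            return ("critical-vlan", cfg.critical_vlan, waited)
        return ("unauthorized", None, waited)
    if cfg.webauth_fallback:
        return ("web-auth", None, waited)
    if cfg.guest_vlan is not None and not saw_eapol:
        # Guest VLAN only for a device that never answered EAPOL (assumption).
        return ("guest-vlan", cfg.guest_vlan, waited)
    return ("unauthorized", None, waited)
```

With the slide's defaults an agentless printer reaches the guest VLAN only after 90 seconds; with the `dot1x timeout tx-period 10` from the config above the wait drops to 30 seconds.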
High Security: Network Access Table
Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | None | Closed Mode
Employees | 802.1X Success | Enterprise Access | Default DATA VLAN
Corporate Asset | MAB Success | Enterprise Access | Default DATA VLAN
Phones | 802.1X or MAB Success | Voice Access | Voice VLAN
Engineers | 802.1X Success | Engineer Access | ENG VLAN
Machines | 802.1X Success | Machine Access | MACHINE VLAN
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Limited Access | Auth-Fail VLAN = Guest VLAN = UNAUTH VLAN
All | None (AAA server down) | Enterprise Access | Critical VLAN
Mobility, Agility and Security
Université de Montréal
Wired 802.1X Network Access Control
Speaker: Michel L'Heureux, ing. PMP
Networking department manager at Université de Montréal - DGTIC
June 2010
Université de Montréal
• A Major University
– Founded in 1878, Université de Montréal, with its two affiliated
schools: École Polytechnique and HEC Montréal, is now the
largest university in Quebec and the second largest in Canada.
– Deeply rooted in Montreal and dedicated to its international
mission, the Université de Montréal is one of the top universities
in the French-speaking world.
– With its 13 programs, 80 departments and schools, the Université
de Montréal offers programs in almost all academic fields
– The University earmarks close to $460 million for basic and
applied research each year, making it Canada's second most
active university in the field.
A Network for the Future
• Network architecture project started in 2007
– Objective: Become one of the best University Campus networks
• Switching
– Backbone upgrade to 10 Gb/s, MPLS in the Core
– VSS for core redundancy and replace spanning-tree
– Catalyst 6500E for Core and Distribution
– Catalyst 4500E for 1 Gb/s network Access
• IP Telephony
– 9000 IP Phones
– Call manager v7, 2 Unity, 3 IPCC, 5 SRST
• Wifi
– 2500 Access Points 802.11n
• Security
– 802.1X authentication for all wired ports and wifi access
As we speak
Switching – routing infrastructure
– 80% completed
IP Telephony
– 80% completed
Wifi
– 60% completed
Security
– More than a thousand 802.1X-enabled wired ports
– 25000 ports planned
Network security
An internal audit performed in 2005 demonstrated that the University network access did not comply with security best practices.
Private and distinct network from the Internet: 132.204.x.x -> 10.x.x.x
Access control and security (authentication): 802.1X for each wired network port
Network segmentation based on user role (Community): Employee, Student and Guest
Community segmentation
Infrastructure community
User community:
• Based on user role
• Assign from top security level.
Community segmentation
Workstations | Security needs | Risk
Employees | Consult and manage confidential information | Lower risk for managed workstations (SCCM, Anti-virus, GPO)
Students | Basic + school work | High due to unmanaged workstation
Guest | Basic | Very High -- unknown workstation
Community segmentation
Isolating the communities
Needs to reinforce new services for collaboration between different user communities:
File sharing
Printing
Better use of central resources
Univ de Montréal 802.1X deployment
• Use of centralized and unique AD accounts through Cisco ACS Radius servers
• Use of the OS native « Supplicant » whenever possible: XP, Win7 and MAC
– Credentials: AD Password
– EAP Method: PEAP-MSCHAPv2
• A university managed workstation (registered on the AD domain) must do both Machine & User authentication. All others do only User auth.
Univ de Montréal 802.1X deployment (cont)
• Faculty staff, students and guests are invited (and encouraged) to use 802.1X configuration with a supplicant
• Exceptions
– IP Phones are not 802.1X aware (except G series) so CDP is used to bypass 802.1X
– Web Auth is used for the first-time user and for workstations not supporting a supplicant
– MAB (MAC Authentication Bypass) for devices not supporting a supplicant with no possibility to do Webauth (printers, surveillance cameras, etc.)
– Critical Auth VLAN
Dynamic VLAN assignment
• How many VLANs are used?
– One VRF for each "community"
• How do you manage VLAN assignment for users vs. machines?
– 1 VLAN per community per switch
– Machines do not get a "community" VLAN. They land in a pre-auth VLAN
Environment Diversity snapshot
1. Remote access: Remote access (RDP), Remote access Mac/Apple, Net Support School
2. License servers: Windows 7, Adobe, Sequencher, FileMaker, MatLab and others
3. Startup services: NetBoot (Mac/Apple)
4. Linux: SSH, LDAP, Kerberos, NIS, NFS / Samba, Rdist, rsync, scp, puppet
5. Other: cold imaging, backup and recovery software: GHOST, RedHat Network / YUM (Yellowdog Updater, Modified), SCCM2007 (System Center Configuration Manager)
Challenge and solutions
• « GHOSTing machines »
– Use of MAB to configure the GHOST environment
• Remote Desktop Windows
– Must leave the desktop "logged in" and locked
Challenge and solutions (cont)
• WebAuth on Catalyst 4500
– « Authentication timeout »: this issue produced a forced re-auth after 30 min. Users would lose their session every time. Could not configure this through normal timeout control. This was escalated to Cisco.
– Early fix was supplied to correct this. Waiting for the next IOS release 12.2.53 SG3 for full permanent integration.
– Webauth portal login page unable to display any custom images or logo.
– Webauth portal login page cannot redirect the user to any other pages or Web site
Challenge and solutions (cont)
• « Apple Net Boot »
– Very limited functionality in a routed environment
– Challenge implementing 802.1X config
– Support for scripting is only available from OS 10.6.2
Lessons Learned
• A few pieces of advice for proper deployment:
– Problems are not so much in the 802.1X protocol but more in the operational aspect of the deployment.
– Careful definition and identification of the users' needs is mandatory.
– Cisco doesn't supply tools to integrate 802.1X in a heterogeneous environment like a university campus.
• Monitoring and troubleshooting
– At deployment time, prepare to cope with a flow of help-desk calls
– Plan on building your own processes and tools.
Questions
Advanced Features: NEAT
NEAT Problem Statement & Drivers
Network Device Identity
Compact switches like Cisco Catalyst 8-port 3560 or 2960 will be deployed in an unsecured area such as cubicles, conference rooms, etc., outside the secured wiring closet
These network devices can potentially be swapped with hacker devices to gain network access, compromising the network security
Customers' requirement is to have (network) device based access control for tighter security
Result: Customers want network device authentication to mitigate these types of security threats
(Diagram: Enterprise Network; one case shows access gained, the other access blocked)
Network Edge Authentication Topology: Network Edge Trust Extension
Topology: Conf Room Compact Switch -> Wall Jack in Conf Room -> Wiring Closet Switch -> Campus LAN -> AAA
Switch Authentication
– Wiring closet port status: Un-Authorized -> Authorized; only allow MAC of Auth'd Switch
Machine Auth (host behind the compact switch)
– Compact switch port status: Un-Authorized -> Authorized; only allow MAC of Auth'd Host
– Compact switch advertises MAC of Authenticated Host
– Wiring closet port status: Authorized; allow MACs advertised by Auth'd Switch
Host leaves (Disconnect, Power down, or Logoff)
– Compact switch advertises MAC removal based on aging or linkdown
– Wiring closet port: remove MAC per notifications
Extend trust into physically unsecured locations (e.g., conference room, cubicle, etc.)
Secure access control for shared media access
Advanced Features: CoA
RADIUS Change of Authorization (CoA)
RFC 3576: Defines "Packet of Disconnect"
• Terminates session
Cisco has extended support for CoA:
• Terminate session
• Re-authenticate
• Port bounce
• Port down
Each type of Action has specific use case support
CoA – Use Cases
Failed Authentication with Failed Auth VLAN
• CoA can reauth or terminate a session; it can retrigger authentication to try authentication after remediation
Adding new MAC addresses to the network
• After profiling or another change order, an agentless device may need its IP changed
• CoA with Port Bounce can be used to reset the IP stack on an agentless device
Abnormal/Destructive behavior is observed on the network
• CoA with Port Down is an emergency shut-off of a port. It can only be re-enabled by CLI
RADIUS Change of Authorization (CoA)
1. End point fails authentication, gets assigned to the Auth-Fail VLAN
2. End point remediates itself
3. A RADIUS CoA is issued with Reauthenticate
4. Client is authenticated via dot1x and assigned to the Corp VLAN
Dynamic session control from a Policy server:
Re-authenticate session
Terminate session
Terminate session with port bounce
Disable host port
Session Query
– For Active Services
– For Complete Identity
Service Specific
– Service Activate
– Service De-activate
– Service Query
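The RFC 3576 exchange behind the CoA slides above, as an added Python example that is neither Cisco nor ACS code: it builds the CoA-Request (reauthenticate, port bounce, port down) and Disconnect-Request a policy server sends to the switch, computes the Request Authenticator the way RFC 3576 section 2.3 specifies, and shows both the switch-side check that drops a request from a sender without the shared secret and the server-side check on the ACK/NAK. The Cisco-AVPair command strings are assumptions taken from Cisco's CoA documentation, the MAC string and the secret "cisco" are constructed sample values, and the NAS reply is a constructed stand-in for the switch.

```python
"""RFC 3576 CoA-Request / Disconnect-Request builder and authenticator checks
(added example, not Cisco or ACS code)."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31   # carries the endpoint MAC that identifies the session
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1               # Cisco-AVPair vendor type

# Cisco-AVPair commands for the CoA actions on the slides (assumed strings
# taken from Cisco's CoA documentation; check them against your release).
COMMANDS = {
    "reauthenticate": "subscriber:command=reauthenticate",
    "bounce-host-port": "subscriber:command=bounce-host-port",
    "disable-host-port": "subscriber:command=disable-host-port",
}


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute wrapping a Cisco-AVPair string."""
    inner = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Header + attributes with the RFC 3576 Request Authenticator filled in:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    request_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + request_auth + attrs


def coa_request(identifier: int, mac: str, action: str, secret: bytes) -> bytes:
    """CoA-Request: reauthenticate, bounce or disable the port of the session
    whose Calling-Station-Id is the given MAC string."""
    attrs = attr(ATTR_CALLING_STATION_ID, mac.encode()) + cisco_avpair(COMMANDS[action])
    return build_request(COA_REQUEST, identifier, attrs, secret)


def disconnect_request(identifier: int, mac: str, secret: bytes) -> bytes:
    """Packet of Disconnect: terminate the session for the given MAC."""
    return build_request(DISCONNECT_REQUEST, identifier,
                         attr(ATTR_CALLING_STATION_ID, mac.encode()), secret)


def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """The switch-side check: recompute the Request Authenticator before acting,
    so a CoA from a host that does not hold the shared secret is dropped."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def response_is_authentic(request: bytes, response: bytes, secret: bytes) -> bool:
    """The server-side check on the ACK/NAK:
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def constructed_nas_reply(request: bytes, code: int, secret: bytes) -> bytes:
    """Stand-in for the switch's ACK/NAK (constructed for this example)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```

A real deployment adds the Message-Authenticator attribute on top of this authenticator; the checks here are the minimum a switch and policy server perform before honouring a port bounce or port down.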
Advanced Features: 802.1X-Rev
Identity 4.1 Feature: 802.1X-Rev, MACSec and MKA
Topology: end point - Wiring Closet Switch - Campus LAN - AAA
1. User bob connects (User: bob, Policy: encryption)
2. Bob's policy indicates the end point must encrypt
3. Key exchange using MKA, 802.1AE encryption complete; user is placed in the Corp VLAN; session is secured
4. User steve connects (User: steve, Policy: encryption)
5. Steve's policy indicates the end point must encrypt
6. End point is not MACSec enabled; assigned to the Guest VLAN
802.1X-Rev Components
- MACSec enabled switches (Incredibles)
- AAA server 802.1X-Rev aware
- Supplicant supporting MKA and 802.1AE encryption
Advanced Features: Monitoring & Troubleshooting
Monitoring and Troubleshooting
ACS 5.1 Monitoring & Troubleshooting (sources: IOS Switches, ACS Servers)
Troubleshooting
– Expert Troubleshooting Tool
– Troubleshooting Workflow: Authentication Failure, Authorization Failure
– Switch log failure analysis: SNMP, Syslog, CLI, Netflow
Monitoring
– User Reporting: where, when, how connected; how long, how often; last passed, last failed
– Switch Log Reporting
– System Reporting: Pass/Fail ratio
– Device Reporting: Profile History, Status of profiled device
Alerts
– Unknown NAS
– New ACS, new NAD
– External DB unavailable
– Failed Auths thresholds
– Passed auths thresholds
– AAA down
– Syslog
ACS 5.1 Uses Multiple Sources of Information For Monitoring/Troubleshooting
Sources
• RADIUS logs
• Syslog from ACS(s)
• Syslog from Switches
• CLI
• SNMP
ACS 5.1 Tools
• Authentication Reports
• Session Directory
• Configuration Validator
• Network Device & Session Details
• Expert Troubleshooter
Configuration Validator
On Demand SNMP Polling
MIB-II (RFC-1213-MIB)
INTERFACE-MIB
IEEE8021-PAE-MIB
CISCO-PAE-MIB
CISCO-AUTH-FRAMEWORK-MIB
CISCO-MAB-MIB
Centralized View of Switch Syslogs
Authentication passed (credentials were good) but the switch was unable to apply the authorization instructions (e.g. bad VLAN assignment).
Expert Troubleshooter
Research failures by troubleshooting workflows
Session Summary
Deployment Considerations In a Nutshell
Policy & Organization | Teamwork: Network, IT, Desktop; Policy: definition & enforcement
Authentication | EAP, PKI, DBs; Supplicants, Re-Auth, Agentless
Authorization | Pre-Auth, VLAN, ACL, Failed Auth, AAA down
Phones | MDA, voice VSA, MAB behind phone
Desktops | PXE, WoL, VM, Windows GPO, login scripts, machine auth, remote desktop
Wireless | Guest solution? Implicit reliance on wired?
Summary
802.1X improves enterprise security
802.1X improves enterprise visibility
802.1X deployable now
New features have significantly simplified deployment
Deployment scenarios can be used as a starting point
802.1X is not only a network project, it affects the whole IT organization